author | Darren Tucker <dtucker@dtucker.net> | 2019-11-02 16:39:38 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2019-11-02 16:39:38 +1100 |
commit | f5cc5816aaddb8eca3cba193f53e99d6a0b37d05 (patch) | |
tree | 806820158e00a433744f3742d8eafe10fe8faf93 /configure.ac | |
parent | ad38406fc95fa223b0ef2edf8ff50508f8ab1cb6 (diff) | |
Only enable U2F if OpenSSL supports ECC.
This requires moving the U2F bits to below the OpenSSL parts so we have
the required information. ok djm@
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 74 |
1 files changed, 40 insertions, 34 deletions
diff --git a/configure.ac b/configure.ac index 4baaa62a..bc28d074 100644 --- a/configure.ac +++ b/configure.ac @@ -1909,44 +1909,10 @@ AC_ARG_ENABLE([security-key], ] ) -# PKCS11/U2F depend on OpenSSL and dlopen(). AC_SEARCH_LIBS([dlopen], [dl]) AC_CHECK_FUNCS([dlopen]) AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>]) -enable_pkcs11=yes -enable_sk=yes -if test "x$openssl" != "xyes" ; then - enable_pkcs11="disabled; missing libcrypto" - enable_sk="disabled; missing libcrypto" -fi -if test "x$ac_cv_func_dlopen" != "xyes" ; then - enable_pkcs11="disabled; missing dlopen(3)" - enable_sk="disabled; missing dlopen(3)" -fi -if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then - enable_pkcs11="disabled; missing RTLD_NOW" - enable_sk="disabled; missing RTLD_NOW" -fi -if test ! -z "$disable_pkcs11" ; then - enable_pkcs11="disabled by user" -fi -if test ! -z "$disable_sk" ; then - enable_sk="disabled by user" -fi - -AC_MSG_CHECKING([whether to enable PKCS11]) -if test "x$enable_pkcs11" = "xyes" ; then - AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]) -fi -AC_MSG_RESULT([$enable_pkcs11]) - -AC_MSG_CHECKING([whether to enable U2F]) -if test "x$enable_sk" = "xyes" ; then - AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support]) -fi -AC_MSG_RESULT([$enable_sk]) - # IRIX has a const char return value for gai_strerror() AC_CHECK_FUNCS([gai_strerror], [ AC_DEFINE([HAVE_GAI_STRERROR]) @@ -3015,6 +2981,9 @@ if test "x$openssl" = "xyes" ; then test x$enable_nistp521 = x1; then AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) AC_CHECK_FUNCS([EC_KEY_METHOD_new]) + openssl_ecc=yes + else + openssl_ecc=no fi if test x$enable_nistp256 = x1; then AC_DEFINE([OPENSSL_HAS_NISTP256], [1], 
@@ -3055,6 +3024,43 @@ else AC_CHECK_FUNCS([crypt]) fi +# PKCS11/U2F depend on OpenSSL and dlopen(). +enable_pkcs11=yes +enable_sk=yes +if test "x$openssl" != "xyes" ; then + enable_pkcs11="disabled; missing libcrypto" + enable_sk="disabled; missing libcrypto" +fi +if test "x$openssl_ecc" != "xyes" ; then + enable_sk="disabled; OpenSSL has no ECC support" +fi +if test "x$ac_cv_func_dlopen" != "xyes" ; then + enable_pkcs11="disabled; missing dlopen(3)" + enable_sk="disabled; missing dlopen(3)" +fi +if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then + enable_pkcs11="disabled; missing RTLD_NOW" + enable_sk="disabled; missing RTLD_NOW" +fi +if test ! -z "$disable_pkcs11" ; then + enable_pkcs11="disabled by user" +fi +if test ! -z "$disable_sk" ; then + enable_sk="disabled by user" +fi + +AC_MSG_CHECKING([whether to enable PKCS11]) +if test "x$enable_pkcs11" = "xyes" ; then + AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]) +fi +AC_MSG_RESULT([$enable_pkcs11]) + +AC_MSG_CHECKING([whether to enable U2F]) +if test "x$enable_sk" = "xyes" ; then + AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support]) +fi +AC_MSG_RESULT([$enable_sk]) + AC_CHECK_FUNCS([ \ arc4random \ arc4random_buf \ |
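Review bot: In the relocated PKCS11/U2F block, the new `openssl_ecc` test runs unconditionally after the libcrypto test, so on a build without OpenSSL it overwrites `enable_sk="disabled; missing libcrypto"` with "disabled; OpenSSL has no ECC support". The earlier hunk assigns `openssl_ecc` only inside the `if test "x$openssl" = "xyes"` branch, so unless it is initialised outside the visible lines it is unset on that path and the `!= "xyes"` comparison is true. The configure summary then reports the wrong reason for security-key support being off, which misleads anyone checking why a build lacks U2F/FIDO. Folding the check into the preceding conditional keeps the more specific reason: replace the `fi` / `if test "x$openssl_ecc" != "xyes" ; then` pair with a single `elif test "x$openssl_ecc" != "xyes" ; then`.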